Platform
wordpress
Component
inquiry-form-to-posts-or-pages
Fixed in
1.0.1
CVE-2026-6293 describes a Cross-Site Scripting (XSS) vulnerability affecting the Inquiry Form to Posts or Pages plugin for WordPress. This vulnerability allows attackers to inject malicious scripts due to missing nonce validation and inadequate input sanitization. The issue impacts versions 1.0.0 through 1.0, and a fix is expected in a future plugin release.
An attacker can exploit this vulnerability to inject arbitrary JavaScript code into the WordPress site. This code can then be executed in the context of any user visiting the affected page, potentially leading to session hijacking, defacement of the website, or redirection to malicious sites. The stored nature of the XSS means the payload persists until removed, affecting multiple users. This vulnerability is particularly concerning as it can be triggered without authentication, making it accessible to a wide range of attackers.
This vulnerability was publicly disclosed on 2026-04-15. There are currently no known public proof-of-concept exploits available. The vulnerability is not listed on the CISA KEV catalog at the time of writing. Given the relatively recent disclosure and the lack of public exploits, the immediate exploitation probability is considered low, but vigilance is still required.
Websites using the Inquiry Form to Posts or Pages plugin, particularly those running WordPress versions that haven't been regularly updated, are at risk. Shared hosting environments where plugin updates are managed by the hosting provider are also at increased risk, as users may not have direct control over plugin versions.
• wordpress / composer / npm:
grep -rF "\$_POST['inq_hidden'] == 'Y'" /var/www/wordpress/wp-content/plugins/inquiry-form-to-posts-or-pages/
• wordpress / composer / npm:
wp plugin list --status=inactive | grep 'inquiry-form-to-posts-or-pages'
• wordpress / composer / npm:
wp plugin list | grep 'inquiry-form-to-posts-or-pages'
Disclosure
Exploit status
EPSS
0.01% (1st percentile)
CISA SSVC
CVSS vector
The primary mitigation is to upgrade to a patched version of the Inquiry Form to Posts or Pages plugin when available. Until a patch is released, consider disabling the plugin entirely to prevent exploitation. As a temporary workaround, implement a Web Application Firewall (WAF) rule to filter out suspicious POST requests to the plugin’s settings update handler, specifically looking for the inq_hidden=Y parameter. Regularly scan your WordPress installation for vulnerable plugins using security scanning tools.
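The root cause named above is a settings-update handler that trusts POST input without a nonce check or sanitization. The following is an added illustration of the hardened pattern, not the plugin's own code: the hook name, option name, nonce action and field names are assumptions chosen for the example.

```php
<?php
// Added example (not the Inquiry Form to Posts or Pages plugin's code).
// Assumed names: hook 'admin_post_inq_save_settings', nonce action
// 'inq_save_settings', nonce field 'inq_nonce', option 'inq_example_settings'.

add_action( 'admin_post_inq_save_settings', 'inq_example_save_settings' );

function inq_example_save_settings() {
    // 1. Capability check: only users allowed to manage options may change settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }

    // 2. Nonce validation (the check the advisory reports as missing):
    //    a POST without a valid token for this action is rejected here.
    check_admin_referer( 'inq_save_settings', 'inq_nonce' );

    // 3. Validate the flag against an allowlist instead of comparing raw $_POST.
    $hidden = isset( $_POST['inq_hidden'] )
        ? sanitize_text_field( wp_unslash( $_POST['inq_hidden'] ) )
        : 'N';
    if ( ! in_array( $hidden, array( 'Y', 'N' ), true ) ) {
        $hidden = 'N';
    }

    // 4. Sanitize free-text input before it is stored; stored values are what
    //    later reach visitors' browsers, which is where stored XSS would fire.
    $label = isset( $_POST['inq_label'] )
        ? sanitize_text_field( wp_unslash( $_POST['inq_label'] ) )
        : '';

    update_option( 'inq_example_settings', array( 'hidden' => $hidden, 'label' => $label ) );

    wp_safe_redirect( add_query_arg( 'updated', '1', wp_get_referer() ) );
    exit;
}

// Output side: escape at render time regardless of how the value was stored.
function inq_example_render_label() {
    $opts = get_option( 'inq_example_settings', array( 'hidden' => 'N', 'label' => '' ) );
    if ( 'Y' === $opts['hidden'] ) {
        return '';
    }
    return '<label>' . esc_html( $opts['label'] ) . '</label>';
}

// The settings form must emit the matching token:
// wp_nonce_field( 'inq_save_settings', 'inq_nonce' );
```

Both the nonce check and the capability check are needed: the nonce alone does not establish who is submitting, and the capability check alone does not stop a forged cross-site request from a logged-in administrator's browser.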
No known patch available. Please review the vulnerability details thoroughly and implement protective measures based on your organization's risk appetite. It may be best to uninstall the affected software and find an alternative.
CVE-2026-6293 is a Cross-Site Scripting (XSS) vulnerability in the Inquiry Form to Posts or Pages WordPress plugin, allowing attackers to inject malicious scripts due to missing nonce validation and insufficient sanitization.
You are affected if you are using the Inquiry Form to Posts or Pages plugin in WordPress versions 1.0.0 through 1.0 and have not upgraded to a patched version.
Upgrade to the latest version of the Inquiry Form to Posts or Pages plugin as soon as a patch is released. As a temporary workaround, disable the plugin or implement a WAF rule.
While no public exploits are currently known, the vulnerability's ease of exploitation suggests it could be targeted by attackers.
Check the plugin developer's website or the WordPress plugin repository for updates and security advisories related to CVE-2026-6293.